Oct 2012 state of project keystone

OpenStack Design Summit - Grizzly: State of the Project - Keystone

  1. Tuesday, October 16, 12
  2. OpenStack Identity: State of the Project: Keystone
     Joe Heck, Project Technical Lead
  3. me...
     Joe Heck, @heckj
     ‣ choose to live here
     ‣ grew up here
  4. Outline
     ‣ Why keystone
     ‣ What is keystone
     ‣ Basic concepts
     ‣ High level architecture
     ‣ Keystone history review
     ‣ Grizzly plans
  5. Why Keystone
     ‣ the first “openstack common”
     ‣ common internal API expressing relevant identity information to OpenStack projects
     ‣ need for knowledge of OpenStack service endpoints
  6. What is Keystone
     ‣ single source of authentication, authorization
       ‣ same account and credentials for starting a VM instance and accessing a container in object storage
     ‣ enforcement of authorization policies at the service level, not centralized
     ‣ means of expressing API endpoints
       ‣ basic service catalog
  7. What is Keystone - core internal services
     ‣ identity
     ‣ policy
     ‣ token
     ‣ catalog
  8. Basic Concepts - Identity
     ‣ Tenant == Project
       ‣ basic unit of ownership
       ‣ collection of resources (vm, volume, container, etc)
     ‣ User
       ‣ individual or service
       ‣ identified by basic credentials
     ‣ Role
       ‣ named relationship between a user and tenant
  9. Basic Concepts - Policy
     ‣ Policy file - private/internal in Essex
       ‣ Nova, Glance, and Keystone
       ‣ extending to Cinder, Quantum
     ‣ Simple rule based mechanism for expressing authorization
     ‣ Enforcement at the services
  10. Basic Concepts - Token
      ‣ Token
        ‣ arbitrary string to be used in HTTP headers
        ‣ identity associated with token retrievable by other OpenStack services
      ‣ token
        ‣ user, tenant, roles
        ‣ catalog
  11. Basic Concepts - Catalog
      ‣ service --> endpoint
      ‣ OpenStack Services
        ‣ identity
        ‣ compute
        ‣ volume
        ‣ image
        ‣ ec2
        ‣ object-store
  12. TOKEN: 87d45c4c6e9b445997da68f399b49704
      {u'access': {u'serviceCatalog': [
          {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                           u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                           u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                           u'region': u'RegionOne'}],
           u'endpoints_links': [], u'name': u'Volume Service', u'type': u'volume'},
          {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                           u'internalURL': u'http://image:9292/v1',
                           u'publicURL': u'http://image:9292/v1',
                           u'region': u'RegionOne'}],
           u'endpoints_links': [], u'name': u'Image Service', u'type': u'image'},
          ... ... ...
          {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                           u'internalURL': u'http://ident:5000/v2.0',
                           u'publicURL': u'http://ident:5000/v2.0',
                           u'region': u'RegionOne'}],
           u'endpoints_links': [], u'name': u'Identity Service', u'type': u'identity'}],
        u'token': {u'expires': u'2012-04-19T00:06:53Z',
                   u'id': u'87d45c4c6e9b445997da68f399b49704',
                   u'tenant': {u'description': None, u'enabled': True,
                               u'id': u'c566cb3adfab4f4a859250f4f7d4f56c', u'name': u'demo'}},
        u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed', u'name': u'frank',
                  u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                             {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
                  u'roles_links': [], u'username': u'frank'}}}
  13. High Level Architecture
      ‣ Typical OpenStack Pattern
        ‣ WSGI Application, configured with Paste
        ‣ URI routes mapped to configurable backends
      ‣ Configurable backends per internal service:
        ‣ SQL
        ‣ LDAP
        ‣ key-value store
        ‣ ...yours...
  14. High Level Architecture
      ‣ operational facade to existing systems
        ‣ identity
        ‣ token
        ‣ policy
        ‣ catalog
  15. Supported Backends
      ‣ Identity
        ‣ SQL, LDAP, Active Directory, PAM, KeyValue
      ‣ Catalog
        ‣ SQL, Template, KeyValue
      ‣ Token
        ‣ SQL, Memcache, KeyValue
      ‣ Policy
        ‣ Rules
  16. Keystone history : Cactus release and earlier
      ‣ protocols and mechanisms originally disparate in compute and object storage
        ‣ called “auth v1”
        ‣ separate accounts in nova and swift
      ‣ glance using both, highlighted the issue
  17. Keystone history : Diablo
      ‣ Aggressively prototyped
        ‣ OpenStack internal token-based HTTP API
        ‣ administrative API, separate ports
        ‣ lots of changes, right up through the release
  18. Keystone history : Essex
      ‣ Consolidation
        ‣ re-implemented to simplify and refactor architecture
        ‣ architecture shift to focus on independent drivers
        ‣ migrated to administrative CRUD operations
        ‣ maintained 100% API compatibility
  19. Keystone history : Folsom
      ‣ PKI and prep for Grizzly+
        ‣ Enabled PKI based tokens
        ‣ kept everything rock solid
        ‣ maintained 100% API compatibility
        ‣ Resolved bugs, dealt with security issues as they were uncovered
        ‣ lessons learned led to a V3 identity API
        ‣ started implementation on V3 API
  20. Keystone future : Grizzly
      ‣ Implement V3 API
        ‣ auth changes affect and impact every project
        ‣ consolidate code into Oslo (openstack-common)
        ‣ help drive consolidated policy and roles changes through all projects
      ‣ Consolidate policy files
      ‣ focus on documentation, example configurations
  21. Keystone future : Grizzly
      ‣ Extend the authorization mechanisms
        ‣ support delegation/impersonation
        ‣ ActiveDirectory support
        ‣ externalizing authentication
      ‣ Moving default token to PKI
      ‣ CLI and common authentication
  22. Keystone future : Grizzly (learning)
      ‣ Federation
        ‣ Discussion of use cases and setup
        ‣ Learn what’s needed to fully support trust delegation
  23. Joe Heck, @heckj, heckj@mac.com
      fini
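Slides 9 through 12 describe the three things a consuming service gets from a token response (user and roles, tenant, catalog) and the fact that authorization rules are enforced at the service rather than centrally. The following example, added here and not code from the deck or from the Keystone project, shows the service side of that split: it takes a v2-shaped "access" document constructed from the values on slide 12, rejects an expired token or a disabled tenant, resolves a service type to a catalog endpoint, and evaluates a small role-based rule syntax. That rule syntax ("role:X" joined with "and"/"or") is a simplification of the policy-file idea the slide names and is not Keystone's actual policy language; the policy entries and the hostnames are constructed for the example.

```python
"""Constructed example of what an OpenStack service does with a Keystone v2-style
token response: validity check, catalog lookup, and service-side rule enforcement.
Not Keystone's own code; the rule syntax below is a hypothetical simplification."""
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed "access" document in the shape shown on slide 12.
# Ids and hostnames are copied from the slide, not from a live deployment.
SAMPLE_ACCESS = json.loads("""
{"access": {
  "serviceCatalog": [
    {"endpoints": [{"adminURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                    "internalURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                    "publicURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                    "region": "RegionOne"}],
     "name": "Volume Service", "type": "volume"},
    {"endpoints": [{"adminURL": "http://ident:35357/v2.0",
                    "internalURL": "http://ident:5000/v2.0",
                    "publicURL": "http://ident:5000/v2.0",
                    "region": "RegionOne"}],
     "name": "Identity Service", "type": "identity"}
  ],
  "token": {"expires": "2012-04-19T00:06:53Z",
            "id": "87d45c4c6e9b445997da68f399b49704",
            "tenant": {"id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo", "enabled": true}},
  "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
           "roles": [{"name": "Admin"}, {"name": "Member"}]}
}}
""")


def token_is_valid(access, now):
    """Reject a token whose expiry has passed or whose tenant is disabled."""
    tok = access["access"]["token"]
    expires = datetime.strptime(tok["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return now < expires and bool(tok["tenant"].get("enabled", False))


def endpoint_for(access, service_type, interface="publicURL", region="RegionOne"):
    """Resolve service type -> endpoint URL from the catalog (slide 11)."""
    for svc in access["access"]["serviceCatalog"]:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep.get("region") == region:
                return ep[interface]
    return None


def roles_of(access):
    """Role names carried by the token (slide 10: user, tenant, roles)."""
    return {r["name"] for r in access["access"]["user"]["roles"]}


def _atom(term, roles):
    # Hypothetical rule term: only "role:<name>" is understood here.
    if term.startswith("role:"):
        return term[len("role:"):] in roles
    raise ValueError("unknown rule term: " + term)


def check_rule(rule, roles):
    """Evaluate 'a and b or c' style rules: 'or' has lowest precedence."""
    for alternative in rule.split(" or "):
        if all(_atom(term.strip(), roles) for term in alternative.split(" and ")):
            return True
    return False


# Constructed policy in the shape of a service-side policy file. The service,
# not Keystone, enforces these (slide 9: "Enforcement at the services").
POLICY = {
    "volume:create": "role:Member or role:Admin",
    "volume:delete_any": "role:Admin",
    "volume:quota_update": "role:Admin and role:Member",
}


def enforce(access, action, now):
    """Service-side decision: the token must be valid AND the action's rule must match."""
    if not token_is_valid(access, now):
        return False
    return check_rule(POLICY[action], roles_of(access))


if __name__ == "__main__":
    before_expiry = datetime(2012, 4, 18, 23, 0, tzinfo=timezone.utc)
    print("volume endpoint:", endpoint_for(SAMPLE_ACCESS, "volume"))
    for action in POLICY:
        print(action, enforce(SAMPLE_ACCESS, action, before_expiry))
```

The expiry check is deliberately done before the rule check: a token with the right roles is still useless once its "expires" timestamp has passed, and an ordering that consults roles first tends to leak information about the policy to callers holding stale tokens.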